KR20060029191A - Dynamic network parcel management system and method - Google Patents

Abstract

A system and method for providing dynamic network parsing management are presented. According to the system of the present application, the network administrator can control the use of the network service during the start of the network session and the session period. The system herein utilizes a method of identifying selectable characteristics of an attach function to build static and dynamic parcels, wherein the parcels are configured to monitor and detect specified triggering events or activities, thereby providing a means of network discovery. It can be modified before, after, or in the middle of any session. The specific parsings associated with the particular attach functions identified in the previous session are cached or stored, allowing for faster provisioning of network usage in subsequent sessions. The systems and methods herein provide static and dynamic parcel allocations for providing network use.

Description

Dynamic network parsing management system and method {SYSTEM AND METHOD FOR DYNAMIC NETWORK POLICY MANAGEMENT}

The present invention relates to a comprehensive and continuous control of the use of network services. In particular, the present invention relates to static and dynamic policy allocation for providing network services.

Computation systems are a useful means for exchanging information between individuals. This information includes data, voice, graphics, video, and the like. This exchange is implemented through interconnections linking together computational systems that allow the transmission of electronic signals representing information. The interconnections may be cable or wireless. The cable connection may comprise metal or fiber optic elements. Wireless connections may include, for example, infrared, acoustic, and radio transmissions.

Interconnected computing systems of some kind of commonality are represented by networks. For example, individuals connected to a university campus may each have one computing device. In addition, there may be a shared printer, and there may be remote location application servers on the campus. There is a commonality among individuals that all of these individuals are linked in some way to the university. There is a commonality between individuals and their computing devices in other environments, including health maintenance facilities, production sites, and Internet access users. The network enables communication or signal exchange between multiple computing systems in a common group in some selectable ways. These computing systems represent an interconnection and the interconnection between devices that govern and facilitate the exchange of information between these computing systems. Moreover, the networks may be interconnected together to establish an internetwork. For purposes of illustrating the invention, the apparatus and functions for establishing an interconnection represent a network infrastructure. Users, computing devices, and other entities that use network infrastructure for communication are called attached functions, and will be discussed further. The combination of attach function and network infrastructure will be called a network system.

The process by which various computing systems in a network or internetwork communicate is regulated by network interface cards and circuits, and by agreement signal exchange standards and protocols realized by software, firmware, and long, microcoding algorithms. These standards and protocols derive from the need and desire to provide interoperability among arrays of computing systems available from multiple suppliers. The two organizations responsible for standardizing signal effects are the Institute of Electrical and Electronic Engineers (IEEE) and the Internet Engineering Task Force (IETF). In particular, an IEEE standard for internetwork interoperability is being built or under construction. It is built within the realm of the IEEE 802 committee on LAN and Metropolitan Area Networks (MAN).

Recognized organizations focus on the mechanical structure of network and internetwork operations and are indifferent to regulations and restrictions on network access or to provision of services related to the network. Currently, access to applications, files, databases, programs, and other functions associated with an individual network is limited based on the identity of the user or network attach function. For the purposes of the present invention, a "user" corresponds to a person who interfaces with a computing device to a service associated with a network. For clarity of description, a "network attached function" or "attached function" may be a computing device and a network interface device, an attach device connected to a network, a function using a service of a network, or The user may be a user connected to the network through a function for providing a service to the network or an application associated with the attach device. Once the attached attach function identity is authenticated, the attach function may access the network service at an acceptable level during this identification process. "Network Service" means access, quality of service, bandwidth, priority, computer programs, applications, and databases that can be used or manipulated by attach functions to conduct business of a company using a network as a corporate asset. , Files, and network and server control systems. The principle when a network administrator grants permission for a particular attach function is the established network usage policy. For example, one policy may be that any user with a worker identification number (a kind of attach function) is granted access to an enterprise's electronic mail system at a particular bandwidth and QoS level.

Currently, network administrators build parcels. Parcels are defined and regulated through a parcel server controlled by the administrator. The constructed parsers are sent to the network interface devices of the network infrastructure of the connection point or port. As part of the authentication process, a specific set of parsers is built by the administrator for the corresponding attach function. In other words, the port to which the attach function is attached to the network infrastructure is configured to execute the parse. For example, QoS, bandwidth, priority levels may be set to a predetermined value for the identified attach function, and may be set to another level for another attach function. If a parse set is built for that attach function, there is no coordination mechanism to revise the parse set at any time during the network connection based on environmental changes.

Unfortunately, events and activities that are harmful to the network system occur. Harm to network systems includes, for example, denying access, causing intentional congestion of network computing resources, intentionally reducing available bandwidth, limiting, denying, or modifying network-related information. There are two types of network protection techniques available to minimize the harm to this type of network. Firewalls are designed to block delivery of packets to the network based on certain limited specific conditions associated with the packets. The firewall prevents you from modifying the allocated parcels. An instruction detection system (IDS) is designed to observe the usage patterns of packets entering or residing in a network infrastructure with packets, packets, states, and harmful behavior. However, the available IDSs only report the presence of potentially harmful side effects and do not implement the resulting parsing modifications. Arbitrary adjustments to the state of use of an authorized attach function network are typically made manually after evaluation of the detected side effects. Based on detecting one or more conditions that would cause these changes to be enforced by the network, there is currently no comprehensive function for coordination or changes by the network of assigned network use authorizations and continuous network system monitoring. .

In some limited cases, network usage (specifically, subsequent use of such services after first entering the network system for network service access) may be restricted for reasons other than user authentication. For example, an attach function that wants to use individual network systems over dial-up or virtual private networks may be isolated from certain network services. This is because private network entry is through public portals (eg, the Internet). In certain learning settings that provide a wireless connection, network usage may be limited based on detection of an attach function that seeks to find unauthorized access to a specified restricted network service. However, based on differences from user identity authentication, these isolated efforts in network user control are insufficient for complete network control and security. Thus, there is a need for a comprehensive, integrated system that always controls network usage for all attach functions.

In a general aspect, the present invention provides a dynamic parsing system that allows a network administrator to comprehensively control general network usage, or specific network service usage, based on triggers detected, present, or generated at any time in network usage; The present invention relates to a related method. When attempting to modify the assigned set of parsers, the trigger is the detection or observation of an event, activity, occurrence, information, or characteristic identified in the network system by the network administrator. The types of triggers that define usage restrictions may be of the type of interest to the network administrator, for example, may be related to user authentication, which is commonly understood. Examples of related triggers will be provided here. The system structure may vary and may include any kind of data network. For example, it may include a LAN, a MAN, a WAN, a personal area network (PAN), a virtual private network (VPN), and a home network. The system can be used in one of a variety of ways to improve network utilization, configuration accuracy, network resource allocation, control, security, and the like.

When the network administrator first authenticates the identity of the attach function, the network administrator queries the attach function to find network service usage for information deemed relevant to the use of the network service. The information that appears may additionally be associated with a level of trust parameters, so that it can determine whether the information queried is trustworthy and can be trusted by the system to authorize or restrict its use. The degree of use can be managed based on the type of use and the associated trust level established. Moreover, this use may be regulated based on information that may be independent of the attach function response to the selectable query. For example, if some form of network virus is unknown that is not yet known to the network administrator, all attach functions can be executed to disconnect from the network infrastructure, and be refreshed before regaining all or a specific portion of the network system usage. Re-authentication and validation of the addition of a virus detection function suitable for detecting the identified virus may be required. That is, the dynamic parsing system of the present invention can control network usage for reasons independent of attach function identification, in addition to control based on attach function identification. This usage control is established by statically and dynamically setting the parsers based on the information provided by the attach function, independently obtained information, and any identifiable triggers.

The system includes, for control, attach function activity and events as well as a mechanism for monitoring all network activity that is deemed relevant. Changes in network activity, defined as triggers by the network administrator, are specified in order to modify the static and dynamic parcels, or at least to assess whether they are modified. As mentioned earlier, a trigger is a random change in the network system, for example, a timer-based network of interest to the network administrator to define one change to modify the assigned set of parcels or to evaluate those modifications. System change. Examples of triggers include timer expiration, adding or removing communication links, or adding or removing other network services, terminating communication sessions, changing credentials in attach functions, triggering firewall or IDS alarms, and new attach functions. Network joins, prompts by management stations, and specific motion detection of attach functions. Network usage may be limited for this trigger and other types of triggers for a specified time period, or until completion of a task intended to resolve the identified trigger. Moreover, network utilization parcels of any number can be built dynamically or statically based on trust levels associated with the attach function or selectable parameters including data from the attach function.

In one aspect of the invention, a method of controlling the use by one attach function of network services associated with a network system is presented. This way,

a. Obtaining information associated with the network system,

b. Setting one or more static policies for network service usage by the attach function,

c. Establishing one or more dynamic parsers for network service usage by the attach function,

d. Monitoring a trigger change of the network system, and

e. Modifying the static parser, dynamic parser, or both based on the detected triggers

It includes.

In another aspect of the invention, there is a fabrication technique that includes a machine-readable medium that stores executable command signals that cause a machine to execute the method described above and other related methods herein.

1 is a schematic block diagram of a network system utilizing the integrated comprehensive access control of the present invention.

2 is a flow chart of redundant network access control of the present invention.

3 is a flow diagram of a process for setting up static and dynamic parcels, monitoring for identified occurrences, and resetting static and dynamic parcels.

4 is a table listing information, occurrences, dynamic and static parsers for controlling network system access and use through the parlor systems and methods of the present invention.

The present invention is directed to a system and related methods for providing policies to attach functions in a dynamic manner. In FIG. 1, the network system 100 incorporating the functionality of the parser system of the present invention provides network services to the attach function in accordance with the parse that is assigned to the attach function. The network system 100 includes a network infrastructure 101 and one or more attach functions connected to the network infrastructure 101. Network infrastructure 101 includes an Internet connection that can be connected through several switching devices, routing devices, access points, MAN, WAN, VPN, and connection points (eg, 102a-k). The parsing system of the present invention can use both hardware and software to establish network usage control at all times in the entire network system 100 as described below. The attach function may be external to infrastructure 101 and form part of network system 100. An example of attach functions 104a-d is shown in FIG. 1, which may be any of the types of attach functions identified first. The network infrastructure entry devices 105a-b of the infrastructure 101 provide a means for coupling an attach function to the infrastructure 101. The network entry device may include or be associated with a wireless access point 150. In the case of wirelessly connecting the attach function to infrastructure 101, wireless access point 150 may be a separate device external or internal to network entry device 104b. Central switching device 106 implements the interconnection of multiple network entry devices as well as access to network services, such as parcel server 103 or application server 107. The central switching device 106 further adds the interconnection of the network infrastructure 101 to attach functions including a VPN (represented by the VPN gateway device 120) and a WAN (represented by the Internet cloud 130). Implement

One or more of the devices of infrastructure 101 includes a dynamic parse function module 108. The dynamic parcel function monitors whether the network is triggered, determines whether to modify the assigned parcel set, and includes sub-functions about how to force the allocated parcel set if modified. . The dynamic parse function module 108 of a particular device of infrastructure 101 may include one or more of the three identified subfunctions. It can be assumed that under the control of the network administrator, the parsing server 103 will have the primary responsibility for determining allocation and modification of the parsing set. However, it is also conceivable that some decisions may be made in module 108 of the network device. That is, for example, the module 108c of the central switching device 106 may include the decision subfunctions of the network entry devices 104a, 104b, and the module 108a, of the network entry devices 104a, 104b, and the like. 108b) may have a monitoring and enforcement subfunction for this attach function. Additionally, there may be network devices that do not have any dynamic parse function module 108. Instead, these "dumb" devices can simply provide packet switching functionality, leaving monitoring, decision making, and enforcement functions to other devices in infrastructure 101. Dynamic parcel subfunctions will include the algorithms and processes needed to identify information about attach functions, monitor network activity, execute parcel sets, and make decisions about allocated parcels. Can be. Module 108 may be implemented in hardware or software. For example, certain software, firmware, or microcode functions executed on network infrastructure devices may provide function monitoring, parsing enforcement available within network infrastructure devices, and parsing decision making. Alternatively, or in addition, hardware modules such as a programmable array can be used in the device to provide some or all of these functions.

In the network system 100 of FIG. 1, attach functions, such as service 104a, are attached to infrastructure 101 via cable 109 via connection point 102a (eg, a jack in a wall). Similarly, network infrastructure entry devices 105a-b and central switching device 106 are connected to each other at connection points 102g-h using cables 110, 111. In the portion of the network using the cable, the connection points 102a-j are terminals of the cable to which the device is physically bonded. The connection port (eg 112) is a physical port through which it communicates with network clients.

Access by the attach function to network services associated with the network system 100 includes a set of static and dynamic parsers, called a set of parsers, for the attach function. The parse sets are built by the network administrator. Information about the attach function that makes access to the network service and the parse set may be stored centrally or in a distributed fashion (eg, local storage). In one example of a centralized approach, the parser system of the present invention stores the parser set information and attach function for all connection points of the network system 100 in a server, such as the parser server 103. In one example of a decentralized approach, the parsing system sends the parsing set information and attach functions for all attach functions to one or more of the local network devices 105a-105b, 106 of the network infrastructure 101. Save it.

The system of the present invention, based on the permission provisions established by the network administrator, can execute the built and generated parcels on an initial and continuous basis. It can limit the use of network systems and their services based on the nature of attach functions, establish network infrastructure connections through specific connection points, and also network systems that are or are not related to attach functions. Based on the event, the use of the network system and its services can be restricted. Every parse set can be directed to every network entry device. Alternatively, a parser set can be allocated between network entry devices and attach functions that are forced to a particular connection point based on the established parser set. Several parcels will be applied at connection points, some of which will have redundant uses. Also, some parsers configured at the network entry device may apply to some attach functions and not others.

As shown in FIG. 2, the preliminary process of network entry 200 of the present invention includes the initial steps of the overall process of regulating the use of network system 100 throughout a network session. The entry process 200 uses a computing device such as a computer to initiate a connection to a network entry device at a connection point, or when the attach function initiates a network entry request (step 201) by booting up the network entry device. It can be started using a conventional entry method. The network control system then initiates the attach function authentication method (step 202).

Entry into network system 100 and infrastructure 101 is as follows: Network Operating Systems (NOS), Remote Authentication Dial-In User Service (RADIUS) (initiated in IETF Request For Comment (RFC) 2138), IEEE 802.1X It can be initially regulated using an authentication system such as a standard (providing port based network entry control based on MAC identifier). In the case of NOS and RADIUS, the authentication server provides a mechanism for establishing this authentication. In the case of the IEEE 802.1X standard, network entry devices 114 may be configured using this authentication function, as described in more detail in this standard. The IEEE 802.1Q standard provides another means of controlling network usage. This standard is aimed at the construction and operation of VLANs. The IEEE 802.1Q standard specifies the configuration of a network device for packet reception at a configured port entry module. The firewall also provides network entry control technology based on the packet analysis function described above.

In addition to obtaining the attach function information needed to authenticate access to network services, query the attach function (step 203) because this additional information identified by the network administrator is important for accessing the associated parcel. The parsing system is configured. This additional information includes the attach function location, attach function configuration, attach function operating system, attach function security characteristics, user location, and network entry port information. However, it is not limited thereto. Based on the information obtained using standard authentication (step 202) and additional attach function information query (step 203), the system 100 pre-determinates the permission of the attach function for network service access (step 204). ). If the obtained information is authenticated or accepted, the attach function enters the network usage control process (step 205). If the authorization information or additional attach function information is insufficient to permit a preliminary network entry (eg, incorrect password or unknown location of the user), network entry is denied (step 206). This process 200 also includes checking whether an additional challenge has been established based on a preliminary grant entry into the network infrastructure 101, or whether an additional external challenge has been established by a dial-up service or the like. (Step 207). If not, the attach function is allowed to continue network fetching (step 205). If there is such an additional challenge, then network entry permission is further considered (step 208). If the challenge passes, entry is allowed. Otherwise, entry is denied.

Referring to FIG. 3 and the network usage control process 300, when a preliminary entry into the network infrastructure is allowed and access to the network service is permitted (step 301), the attach function requesting the use of the network service is requested. The system first queries whether the history of the usage parser has been cached or stored (step 302). Stored parcels can be grouped into static or dynamic parcels. For illustration purposes, static parsing is a parsing that is substantially maintained for the attach function from one session to another until changed by the network administrator. Dynamic parcels, on the other hand, are the only parcels that can be granted during the start of a session and during a session, and are not subjects to be automatically granted at the start of a new session. The parcel history may be a value that determines future static parcel authorization, previous dynamic parcel authorization, system side effects, or network usage optimization. Examples of static and dynamic parsers will be listed herein.

If the answer to the query in step 302 is yes, then a parse history is obtained (step 303). The parse history can include user information, access device information, connection point information, previous network usage parameters, access location, previous set parsing conditions, or any combination thereof. As in the parcel server 103, the history may be stored remotely, and the history may be stored or cached locally on the switch / router to which the attach function is directly or indirectly connected. Local caching can speed up the process by which the use of attach functions is allowed, and remote storage allows access to more complete history information for a larger number of attach functions. Some or all of the allocated parcels may be stored or cached locally. In the case where existing parcel information is stored, the decision on the subfunctions of system 100 may be configured to establish a vertical rule for the stored allocation parcel information. For example, the decision of the subfunction can determine whether a stored set of parsers will be ignored by a locally cached set of parsers, or whether locally stored or cached parsers ignore remotely stored ones. You can decide. Regardless of the history storage mechanism used, the system additionally determines whether the acquired static parcel remains valid and should be executed for the attach function (step 304).

If there is no parsing history for the attach function, the system sets up static parcels based on the information obtained in step 200 (step 305). For example, if a building's conference room has an access port that is restricted for office guest permissions, this condition is a static condition. That is, during all sessions at all times, non-workers will be denied access to the corporate network for all purposes except the Internet connection. If a non-worker specific user wants to use Internet access for the first time from this meeting room, the same user attempts to use the same passthrough network from the same location a second time, so that a static use parlor permission already exists and Internet access is realized quickly. Information may be stored or cached on the local switch. The network administrator can define the state of a particular parcel. In some instances, no static parcels may be present, and a static parcel may be only a dynamic parcel without a static parcel. The network administrator can change any static parcel into one dynamic parcel, and change any dynamic parcel into a static one.

In FIG. 3, dynamic parcels are set when a history based static or static parcel is constructed (step 306). The types of dynamic parcels that the attach function can initially be assigned by the network administrator are almost unlimited, ranging from full use of all network services to minimum Internet or email use with limited QoS and bandwidth. Have Dynamic parcels may include parcels that may be static parcels under specified conditions. Alternatively, some dynamic parcels can be converted to static parcels. The number of dynamic parsers assigned to the attach function is limited only by the number of different sets of parse conditions the network manager wishes to build. Some examples of parcels will be described.

Once the dynamic parcels are determined, these parcels are logged by the system (step 307) and stored (step 308). That is, the network manager first registers the static and dynamic parsers assigned to the attach function, and then stores the first parse set history. As mentioned, assigned parcels (static and dynamic parcels) can be modified at any time during or between sessions, and their state can also be changed. Thus, the log identifies the current state of the parcels for the attach function, and history provides a record of the built parcels. This is limited by storage constraints. The built static and dynamic parsers are assigned to the attach function, which can use the network services belonging to these parses (step 309).

The types of network usage parsers assigned are not just related to network entry or network exit, but to all network service usage. Furthermore, the parcels are related to a particular attach function, or to some or all of the network system 100, or not to the network infrastructure 101 or the attach function to use the services. Based on the triggering of an event or condition, it can have a time limit component.

The system of the present invention provides network system 100 for events, activities, and occurrences, as defined by the administrator, corresponding to a trigger for changing or evaluating whether the set of static / dynamic parsers initially established. It is configured to be monitored by the network administrator. Although monitoring of network system 100 preferably includes monitoring of all attach functions and network infrastructure 101, some of all attach functions, portions of network infrastructure 101, or any between them. It may be limited to the combination of. In practice, monitoring corresponds to the continuous observation of network traffic as well as the identified external events that the administrator is considering. In general, past parcel management was very static, and the configuration was implemented by manual review of various network and user data and then by input from a network administrator. However, there are a number of mechanisms for automatically monitoring the status and use of network link L2 structures, L3 structures, and port and attach functions. Remote Monitoring (RMON) tools and Simple Network Management (SNMP) Management Information Bases (MIBs) are a valuable and valuable way to collect network infrastructure devices, attach functions, links, network status, and status. It is provided as an input to generate an event to trigger a parsing change. Input ports for access switches and routers can classify traffic based on all layers of the International Standards Organization (ISO) seven-layer structure model. All data fields of the packet can be used with static and rate based inputs to enter the event monitor. Events can be generated by various software algorithms, hardware triggers, and functions such as IDS outputs or firewall triggers. Events can be monitored on a per port basis, but many are better suited for distributed models with local and remote input.

When detecting the triggers observed in the monitoring phase, the parsing system builds a new dynamic parcel set, leaves the first static parcel set in place, sets new static and dynamic parcels, or network infrastructure. The process of forcing the attach function out of the rusted structure 101 initiates a process requiring re-entry through all or part of the entry process 200 (step 311). That is, when the attach function can be preset in the first set of static / dynamic parsers, the usage constraints related to the attach function can be changed by forcing the attach function to another set of parsers. For example, the attach function assigned a certain set of parcels may be forced to return to step 306 to determine the currently authorized dynamic parcels, in accordance with the occurrence of one or more of any triggers identified by condition A. have. This may or may not be different from what was previously built. Such condition A may include network infrastructure change, attach function change, parsing change, service change, application change, and timeout. Other conditions may also force a change in the allocated dynamic parcels.

Referring to FIG. 3, the attach function assigned a certain set of parcels may be forced to proceed back to step 306, in accordance with the occurrence of one or more of any of the triggers identified by condition B, which are currently authorized. Static parcels can be determined. These static parcels may or may not be different from those previously explored. One example of condition B that will force a static parcel change is the detection of a specific virus on the network system 100. Finally, upon occurrence of one or more of any of the triggers identified by condition C, the attach function must reenter the network via process 200 and repeat process 300.

In all instances, any subsequent parsing set changes caused by the establishment of the initial parsing set and the triggering condition being monitored are logged and stored in the storage parcel history (step 308). The stored parcel history information is made available to all of the functions described herein, including static parcel decision step 305 and dynamic parcel decision step 306 (step 312). This information is further provided to the monitor function (step 310) as part of the information to be observed upon trigger detection. That is, for example, when observed on a flow-by-flow basis, certain attach functions may perform activities that appear to be in compliance with the accepted network usage, in isolation. However, when observing these activities broadly (eg, for the entire session or for a series of sessions), they may constitute a triggering event. For this reason, the stored parcel history is also fed to the monitoring function of the system herein.

Through the path of linkage of the network system with the attach function, the parsing system of the present invention can attach to the attach function, the network infrastructure 101, and other triggers that can signal the need for a change in the parser. Continuously monitor the activities of the attach function. The system is configured to evaluate the original information of specific triggering conditions and attach functions. Based on the specific triggering conditions and the original information, a decision can be made to change the parsing for the attach function. Then new parsers are applied to the entire network system 100 or port, and the attach function now needs to be updated with the new one. Example parsers are listed in column 3 of FIG. 4. One example may be a low bandwidth limitation of an application based on a failed link in the network infrastructure core, or the removal of constraints after the link returns to service. The new parcels may be the same as the most recently assigned parcels for a port or switching device, and the change in parsing for other ports or devices may be a trigger for a local parcel change. Such evaluation of information and triggering conditions is preferably continuous, but may be made to be triggered periodically, sporadically, or manually by a network administrator.

The array of entry information, triggers, and parsing sets is nearly unlimited. For example, in addition to the standard username and password information, other entry information may include wired connection, wireless connection, VPN terminal, dial-up entry, network port entry, user device, device operating system, virus scan level, and seeking network. It may include the kind of use. Available parse sets are nearly unlimited, allowing for guest services only (eg Internet access using only network-built tunnels), guest access to internal network computing devices, IDS monitoring (i.e. port mirroring all traffic to IDS services). ), Logging all activity on correlated ports, honeypotting the ports (that is, sending all relevant traffic on the ports to the network or server simulator), Layer 2 protocols, Layer 3 protocols, IP, IPX, Layer 4 -7 application filtering, user group limitations, service-based QoS features, attach functions and applications, call detection and priority bandwidth limitations, bandwidth limitations by services for ingress and egress, and lack or use of VPN tunnels. Based service restrictions, location based services, user location based applications, user location based Includes for the data, hourly services, and time-based services (that is, if not a member (CEO, CFO, COO of selected groups) a high priority in the short window priority file transfer), and the like.

Evaluating and modifying the parser set or modifying the parser on a per-session, per-port, per-flow basis, per-user basis, per-attach function per unit, per application application per unit, per-build timer per unit, and per network service availability per unit. , And so on. Regarding changes made to a set of parsers based on network service availability, the conditions or events in this case that could trigger the change are: spanning tree reconfiguration, meshed link failing. WAN link failures, high error rates on links, trunk group member failures, network device failures, network device changes, link maintenance, and other network infrastructure changes. Additional parsers that can be allocated based on any trigger or attach function information related to entry and exit to the port include bandwidth limitations, authorized source addresses, filter multicast and outgoing traffic, protocol constraints, private VLANs, and grants. No flooding traffic permitted, and access characteristics and mirroring of filters.

4 lists the types of information variables that can be used to determine static and dynamic parcels. 4 further provides a list of triggering events, activities, or occurrences that may cause a change in dynamic or static parcels. 4 also provides a list of types of parcels that may be changed, which may be either static or dynamic. 4 provides a representative sampling of information, activities, and parsers that can be identified, inspected, and altered in accordance with the system herein. Static parcels can be converted to dynamic parcels and dynamic parcels can be converted to static parcels. Any packet-based information to and from the local connection port, any network information, any attach function information (including all other ports), any algorithm-derived information based on history, time, date, or all this data May be a kind of information presented in column 1 of FIG. 4. The arbitrary change to column 1 or column 3 may be the change triggering event of column 2 of FIG. Moreover, the degree of control may vary for any of the parcels identified in column 3 of FIG. 4.

The parsing system of the present invention is configured to manage and update information related to the network infrastructure 101 and attach functions of the network system 100 in a central database, including the stored parcel history. Alternatively, the stored parcel history can be stored distributedly as if it were stored or cached on the local network access device. The information contained in the database may change. For example, a table with information may form part of a database or may be accessed by a database. This table may correlate each attach function with one or more access devices, one or more access connection points, requested applications, requested priorities, and other information of the kind represented in FIG. 4. If the allocated parsing information is cached centrally, distributedly, or locally, time, size constraints, storage constraints, changes in parsing caching, allocated parsing changes, or other events, conditions Or, based on a trigger in the network system 100 of another kind, may be invalidated or removed as desired by the network administrator.

Using the above technique, the system of the present invention may restrict access to the network system 100 and network services. Examples of network systems and services may include data, applications, dedicated network infrastructure devices, data and network services, QoS levels, network tools, and the like based on attach functions and connection points and monitored triggers. Can be. This connection point allows the attach function to seek network utilization. In addition to the above description, system 100 may utilize the information specified to effect modification of the usage requirements. For example, if the attach function is authorized to use network services through a connection point that is considered insecure (for example, an edge switch port associated with an external Internet connection), the parsing system initiates an enhanced connection such as a VPN. Prompts can be given to the attach function, or the attach function can be informed of the application of complementary constraints when in the non-secure area. More generally speaking, this can be thought of as an extension of the parse-based use that the usage rules for individual attach functions can be adapted at any time for any reason. The parses may change depending on the access request, during the session, or during the exchange flow.

As mentioned above, the system and related methods herein utilize a centralized parser server 103 that includes network usage policy enforcement and decision making functions. It may further include a parcel information database. As also mentioned, this functionality may be distributed throughout infrastructure 101. As shown below, in the example of a distributed system, devices inside and outside the network infrastructure 101 may additionally manage the parsing information that affects its operation. To reiterate, the parsing information can be stored in the centralized parsing server 103, distributed and stored locally or cached to quickly implement access and access authorizations established by the designated parsing. Can be.

1 shows a dynamic parse function module 108 as a component of the devices of infrastructure 101. Information indicative of one or more dynamic parcel subfunctions associated with a particular network device or one or more network devices attached to a particular network device may be preloaded into module 108 in the form of a parse database. The parse database of each device may be the entire parse database of network system 100, or may be part of the database. In particular, the portion of the database included in the module 108 of the device may be the portion correlated to the connection point applicable to the particular device. For example, all connection points can be correlated with a portion of a particular network entry device. Module 108 may include the table of FIG. 4. The table of FIG. 4 is an updatable table that changes with additions or deletions of information, triggers detected, and static and dynamic parses. In addition, a table specifying the actual parsing is preferably generated and may be stored or cached locally and called in a later session based on the attach function information.

The following is a list of some of the possible devices that can have one or more of the dynamic parse subfunctions and a parse server. Examples include network connection voice for IP / voice in data systems such as network switches, data switches, routers, firewalls, gateways, computing devices such as network file servers or dedicated-use servers, management stations, hybrid PBXs, and VoIP call managers. Network layer address configuration / system configuration servers, such as enhanced DHCP servers, enhanced bootstrap protocol servers, routers that implement IPv6 address discovery, and network-based authentication servers that provide services such as RADIUS Extended Authentication Protocol / IEE 802.1X. .

In one example, the network system 100 may utilize SNMP to provide usage information to a distributed database. The network manager provides parsing information of the terminals of the network cable associated with the attach function in the SNMP ifDescr variable. For example, ifDescr has a read-only attribute, but according to various systems the network operator can name the port, which will then be displayed in the corresponding field. Module 108 of the network infrastructure device reads terminal information via SNMP. In another example, MIB parameters may be constructed or MIB parameters may be used to obtain and set tables of information, triggers, and parsing options. The MIB may be used to populate a table of dynamic and static list information for storage and caching.

Another variation of the above example can be implemented. One variant is that the illustrated procedures may include additional steps. Moreover, the order of the steps may be reversed and some steps may be executed in series or in parallel. For example, determination of static and dynamic parcels can be implemented in parallel.

In addition, the processes and steps of the present invention may be implemented as computer program products such as computer-readable signals on a computer-readable medium, such as a nonvolatile recording medium or an integrated circuit memory device. Such computer program products include computer readable signals that are tangibly embodied in a computer-readable medium, where such signals define instructions that are part of one or more programs that instruct various processes and steps to be executed by the computer. do. These commands can be written in Java, Visual Basic, C, C ++, Fortran, Pascal, Eiffel, Basic, COBOL, and so on. Computer-readable media storing such instructions may be located in one or more of the components of system 100 described above and may be distributed among one or more of these components.

Claims (40)

A method of controlling use by said one attach function of network services associated with a network system comprising an attach function, one or more other attach functions, and a network infrastructure, the method comprising: , a. Obtaining information associated with the network system, b. Setting one or more static policies for network service usage by the attach function, c. Establishing one or more dynamic parsers for network service usage by the attach function, d. Monitoring a trigger of the network system, and e. Based on the monitored trigger, modifying the static parse, dynamic parse, or both for the attach function. Usage control method by the attach function, characterized in that it comprises a. The method of claim 1, wherein the method is Storing the set and modified parsers associated with the attach function as a parse history for the attach function. Usage control method by the attach function, characterized in that it further comprises. The method of claim 2, wherein the method is After obtaining information from the network system, querying whether the parse history exists for the attach function; Usage control method by the attach function, characterized in that it further comprises. 3. The attach function of claim 2, wherein the storing of the configuration and modification parsers associated with the attach function comprises caching all or a portion of the parse history at the network system device. Usage control method. The method of claim 4, wherein Invalidating the cached parse history based on the occurrence of a designated event. Usage control method by the attach function, characterized in that it further comprises comprising a. 6. The method of claim 5, wherein the specified event is selected from the group comprising time, size constraints, storage constraints, parsing changes, or network system changes. The method of claim 2, Evaluating whether the parse history contains any static parsers that may be set for the attach function of the current session. Usage control method by the attach function, characterized in that it further comprises. 2. The method of claim 1, wherein the trigger comprises timeout, attach function change, network infrastructure change, entry detection event, firewall event, administrator input, network service change, and network service change request. Usage control method by attach function. The method of claim 1, wherein the information includes attach function information, access device information, access port, number of devices per port, priority per port, priority per device, requested application, available exchange protocol, port security, access A method of controlling usage by an attach function, comprising a location and an access time. The method of claim 1, wherein only one dynamic parser is present in one static parser. A method of controlling the use by said one attach function of network services associated with a network system comprising one attach function, one or more other attach functions, and a network infrastructure, said method comprising: a. Obtaining information associated with the network system; b. Establishing one or more dynamic parsers for network service usage by the attach function, c. Monitoring a trigger of the network system, and d. Modifying dynamic parsers for the attach function based on a monitored trigger Usage control method by the attach function, characterized in that it comprises a. The method of claim 11, Storing set and modified parsers associated with the attach function as a parse history for the attach function. Usage control method by the attach function, characterized in that it further comprises. The method of claim 12, After obtaining information from the network system, querying whether there is a parse history for the attach function; Usage control method by the attach function, characterized in that it further comprises. 13. The method of claim 12, wherein storing the configured and modified parsers associated with the attach function comprises caching the parse history in a network system device. Usage control method. The method of claim 14, Invalidating the cached parse history based on occurrence of a specified event Usage control method by the attach function, characterized in that it further comprises. 16. The method of claim 15, wherein the specified event is selected from the group comprising time, size constraints, storage constraints, parsing changes, or network system changes. 12. The method of claim 11, wherein the trigger comprises timeout, attach function change, network infrastructure change, entry detection event, firewall event, administrator input, network service change, and network service change request. Usage control method by attach function. A system for controlling the use by said one attach function of network services associated with a network system including one attach function, one or more other attach functions, and a network infrastructure, said system comprising: a. Means for forming a portion of a network system that obtains information associated with the network system, and b. Set up static and dynamic parsers for the attach function, monitor triggers in the network system, and modify the static parse, dynamic parse, or both based on the monitored triggers. Dynamic parse function module Usage control system by an attach function, characterized in that it comprises a. 19. The system of claim 18, wherein the dynamic parse function module is a centralization module of a parse server of a network infrastructure. The method of claim 18, -Means of storing the set and modified parcel history Usage control system by the attach function, characterized in that it further comprises. 21. The use control system according to claim 20, wherein the means for storing the set and modified parcel history forms part of a parcel server of a network infrastructure. 21. The usage control system of claim 20, wherein the means for storing the set and modified parsing history forms part of an interconnect device of the network infrastructure. 19. The system of claim 18, wherein the dynamic parser function module is a distributed module that forms part of two or more devices of a network infrastructure. 24. The system of claim 23, wherein the two or more devices are selected from a combination of one or more servers and one or more interconnect devices, or a combination of two or more interconnect devices. 21. The apparatus of claim 20, wherein said means for storing set and modified parsing history comprises means for caching the set and stored parsings in a centralized network device, in a local network device, or a combination of the two. Usage control system by an attach function, characterized in that. 19. The method of claim 18, wherein the means for obtaining information associated with the network system comprises IEEE 802.1X authentication, RADIUS authentication, or a combination of both of the attach functions. Control system. A system for controlling use by said one attach function of network services of a network system comprising one attach function, one or more other attach functions, and a network infrastructure, said system comprising: a. Means for forming a portion of a network system that obtains information associated with the network system, and b. A dynamic parser function that establishes dynamic parsers for network service usage by the attach function, monitors the triggers of the network system, and modifies the dynamic parsers for an attach function based on monitored triggers module Usage control system by an attach function, characterized in that it comprises a. 28. The system of claim 27, wherein the dynamic parse function module is a centralization module of a parse server of a network infrastructure. The method of claim 27, -Means of storing the set and modified parcel history Usage control system by the attach function, characterized in that it further comprises. 28. The system of claim 27, wherein the dynamic parser function module is a distributed module that forms part of two or more network devices of a network infrastructure. The method of claim 27, Means for caching configured and modified parsing history to one or more local network devices in the network infrastructure. Usage control system by the attach function, characterized in that it further comprises. The one attach of network services associated with a network system including the one attach function, one or more other attach functions, and a network infrastructure, based on one or more usage parsers assigned to one attach function. A system for controlling usage by functions, And the system comprises means for storing the allocated parcels in a network device of a network infrastructure. 33. The utilization control system of claim 32, wherein the means for storing the allocated parsers is a distributed module that forms part of two or more devices of the network infrastructure. Based on the dynamic parses assigned to one attach function, the one attach function, one or more other attach functions, and one attach function of network services associated with a network system including a network infrastructure. As a system for controlling use by And the system includes means for storing the allocated dynamic parcels as a parcel history. 35. The system of claim 34, wherein the parse history is stored in a parse server of a network infrastructure. 35. The usage control system of claim 34, wherein the parse history is stored in one or more local network devices of a network infrastructure. The one attach of network services associated with a network system including the one attach function, one or more other attach functions, and a network infrastructure, based on one or more usage parsers assigned to one attach function. A system for controlling usage by functions, And the system comprises means for caching the allocated usage parcels into a parcel history. The method of claim 37, Means for invalidating one or more of the cached parcel histories based on a specified event. Usage control system by the attach function, characterized in that it further comprises. 39. The usage control system of claim 38, wherein the specific event is selected from the group comprising time, size constraints, storage constraints, parsing changes, or network system changes. A method of controlling the use by said one attach function of network services associated with a network system comprising one attach function, one or more other attach functions, and a network infrastructure, said method comprising: a. Establishing one or more parsers for network service usage by the attach function, b. Storing the set one or more parcels as a parcel history, c. Monitoring the trigger of the parse history, and d. Modifying the parsers for the attach function based on the monitored trigger Usage control method by the attach function, characterized in that it comprises a.

Images